Date: Wed, 29 Jun 2016 13:20:58 +0000 From: "C. L. Martinez" <carlopmart@gmail.com> To: freebsd-questions@freebsd.org Subject: Re: Problems with pf rules for intercept squid proxy Message-ID: <20160629131951.GA12552@beagle.bcn.sia.es> In-Reply-To: <CALfReycmb%2BtW%2BRZMPiFqUwUbVmG7GbD4vAwt-igriL_i9x4Stw@mail.gmail.com> References: <20160628130759.GA13226@beagle.bcn.sia.es> <2822287D-FE6F-4A4B-995A-639B696911DF@FreeBSD.org> <20160629113324.GA10436@beagle.bcn.sia.es> <CALfReycmb%2BtW%2BRZMPiFqUwUbVmG7GbD4vAwt-igriL_i9x4Stw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Yep, is it not too dangerous to assign 0770 to /dev/pf?? Anyway, I have tried, but with same error: traffic is denied by squid ... On Wed 29.Jun'16 at 13:39:46 +0100, krad wrote: > have you got these lines in your /etc/devfs.conf file > > > own pf root:squid > perm pf 0770 > > you also need lines like this in the squid.conf > > http_port 192.168.1.1:3128 intercept > > > > On 29 June 2016 at 12:33, C. L. Martinez <carlopmart@gmail.com> wrote: > > > On Tue 28.Jun'16 at 19:37:37 +0200, Kristof Provost wrote: > > > > > > > > > On 28 Jun 2016, at 15:07, C. L. Martinez wrote: > > > > I have some problems with my pf rules on a FreeBSD 10.3 host that acts > > > > as a squid intercept proxy. My actual pf rules are: > > > > > > > > rdr pass on $vpnif proto tcp from $int_network to any port http -> lo0 > > > > port 5144 > > > > rdr pass on $vpnif proto tcp from $int_network to any port https -> lo0 > > > > port 5145 > > > > > > > > At first stage it seems that these rules works, but don't. Traffic is > > > > redirected to squid, but squid denies all connections: > > > > > > > > 1467111934.502 1 172.22.55.1 TCP_DENIED/403 4221 GET > > > > http://www.osnews.com/ - HIER_NONE/- text/html > > > > > > > > Using same squid.conf's file under an OpenBSD test machine, squid > > works > > > > without problems. For this reason, I don't think there is some problem > > > > with my squid's config. The only difference between this OpenBSD host > > > > and FreeBSD are the pf rules. > > > > > > > You may have a different squid version, or they may be patched > > differently. > > > Your redirect rules are working, as demonstrated by the fact that squid > > gets > > > a request, and replies to it. > > > > > > Note that pf does not change your HTTP payload, it only affects TCP. In > > > other words: if Squid sees the connection (and it does) it’s a Squid > > > problem. > > > > > > Also note that you’re redirecting on FreeBSD, but using divert-to on > > > OpenBSD. > > > This may be triggering different behaviour from Squid. The man page says > > > that with divert-to: > > > > > > The packets will not be modified, so getsockname(2) on the socket > > will > > > return > > > the original destination address of the packet. > > > > > > That might be affecting an ACL in Squid. > > > > > > Regards, > > > Kristof > > > > Thanks Kristof. I am using squid installed from pkg under a FreeBSD 10.3, > > fully updated: > > > > Squid Cache: Version 3.5.19 > > Service Name: squid > > configure options: '--with-default-user=squid' '--bindir=/usr/local/sbin' > > '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' > > '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' > > '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' > > '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' > > '--without-gnutls' '--enable-auth' '--enable-build-info' > > '--enable-loadable-modules' '--enable-removal-policies=lru heap' > > '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' > > '--disable-translation' '--disable-arch-native' '--enable-eui' > > '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap' > > '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' > > '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' > > '--enable-ipv6' '--enable-kqueue' '--with-large-files' > > '--enable-http-violations' '--without-nettle' '--enable-snmp' > > '--enable-ssl' '--with-openssl=/usr' 'LIBOPENSSL_CFLAGS=-I/usr/include' > > 'LIBOPENSSL_LIBS=-lcrypto -lssl' '--enable-ssl-crtd' > > '--disable-stacktraces' '--enable-ipf-transparent' > > '--enable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' > > '--enable-forw-via-db' '--enable-wccp' '--enable-wccpv2' > > '--with-heimdal-krb5=/usr' 'CFLAGS=-I/usr/include -O2 -pipe > > -fstack-protector -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib -pthread > > -fstack-protector' 'LIBS=-lkrb5 -lgssapi -lgssapi_krb5 ' > > 'KRB5CONFIG=/usr/bin/krb5-config' '--enable-auth-basic=DB SMB_LM > > MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam NIS' > > '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip > > time_quota unix_group' '--enable-auth-negotiate=kerberos wrapper' > > '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=aufs diskd rock ufs' > > '--enable-disk-io=DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped' > > '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' > > '--enable-storeid-rewrite-helpers=file' '--prefix=/usr/local' > > '--mandir=/usr/local/man' '--infodir=/usr/local/info/' > > '--build=amd64-portbld-freebsd10.1' 'build_alias=amd64-portbld-freebsd10.1' > > 'CC=cc' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector > > -fno-strict-aliasing ' 'CPP=cpp' --enable-ltdl-convenience > > > > According to this options, intercept is enabled ... Then, I don't > > understand why it doesn't works ... > > > > -- > > Greetings, > > C. L. Martinez > > _______________________________________________ > > freebsd-questions@freebsd.org mailing list > > https://lists.freebsd.org/mailman/listinfo/freebsd-questions > > To unsubscribe, send any mail to " > > freebsd-questions-unsubscribe@freebsd.org" > > -- Greetings, C. L. Martinez
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160629131951.GA12552>